This repository was archived by the owner on Jan 30, 2020. It is now read-only.

ContentSecurityPolicy headers overwrite each other #159

Closed
@markushausammann

Description

  • I was not able to find an open or closed issue matching what I'm seeing.
  • This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

It's often not allowed or recommended to have several headers with the same name. But there are situations where it is allowed or even necessary. The CSP is one of these.

https://w3c.github.io/webappsec-csp/#multiple-policies

and

https://www.w3.org/TR/CSP2/#content-security-policy-header-field

Imagine a case where a main application creates a CSP and different modules also independently add their own CSPs. The framework MUST render them all separately OR do a preemptive union merge which is what the client would otherwise do. It will (hopefully) quickly become standard practice that modules provide their own CSPs.

Code to reproduce the issue

```php
use Zend\Http\Header\ContentSecurityPolicy;

$headers = $controller->getResponse()->getHeaders();
// Two policies, e.g. one from the main application and one from a module
$headers->addHeader(new ContentSecurityPolicy($someDirectives));
$headers->addHeader(new ContentSecurityPolicy($someOtherDirectives)); // replaces the first
```

Expected results

The expected result is a response with two CSP headers (OR a union merged CSP).

Actual results

The second addition overwrites the first, the response only contains that one CSP.
